Each of the underlying cultural levels will contribute towards the overall strength and stability of such a culture. For example, if an organization has espoused values that are in line with recommended best practices for security, this would make the overall security better. Conversely, should the espoused values fail to address all relevant security related issues, the overall security would be weaker.
The combination of the espoused values and the "elasticity effect" of the shared tacit assumptions and the user knowledge on these espoused values results in the visible and measurable artifacts. From a security viewpoint, the artifact level is a very good indication of the overall security of the organization's information, since this level reflects what actually happens in the day to day operations. In cases where the various levels are not in equilibrium, this artifact level becomes more difficult to predict. In such cases the degree of elasticity in the specific system would determine how long it would take before the system "settles" into equilibrium. In infinitely elastic systems this equilibrium might never be attained, whilst completely inelastic systems would always be in equilibrium. In terms of the degree of elasticity in a security culture, the knowledge level also plays a very specific role in that it can act as an "inhibitor" of the elastic effect. A lack of knowledge can prevent employees who want to act securely from doing so. For the specific areas where the necessary security knowledge is lacking, this lack results in an infinite degree of elasticity in the security culture. The visible behavior (artifact level) cannot move towards equilibrium because the employees lack the means to produce the desired behavior.
Figures 5.11 to 5.15 show a few possible effects that interactions between the various levels of culture could have on the overall state of the organization's information security.
[Figure 5.11: "Neutral" and Stable Culture. Plot of the Level of Security (Less Secure to More Secure) for the four levels AF = Artifacts, EV = Espoused Values, SA = Shared Tacit Assumptions and KN = Knowledge, against BL = Minimum Acceptable Baseline and SL = Nett Security Level. In this figure the SL and BL lines coincide.]
The examples in Figures 5.11 to 5.15 assume that the desirability of the various levels can be quantified and normalized to the same scale. In other words, it is assumed that, for example, the desirability of the relevant espoused values can be measured and expressed as a value that indicates the contribution of this level towards the overall security. It is also assumed that the other levels can be expressed in the same way, and that the scale of such measurements can be normalized in such a way that these values will indicate the relative desirability of that level when compared to the other levels. The line marked SL (Security Level) represents the nett effect of the interactions between the various levels of the culture. The five examples can be interpreted as follows:
Figure 5.11: "Neutral" and Stable. The desirability of the various levels of culture is "neutral", or average. In other words, the strength of each level neither exceeds nor falls short of the minimum acceptable baseline standards. The Nett Security Level (SL) perfectly overlaps the Baseline (BL). Since all the levels have the same level of desirability, the various levels will neither negate nor reinforce the effects of other levels on the overall security. The effects of such a culture would thus be predictable and stable.
[Figure 5.12: Insecure and "Mostly Stable" Culture. Same axes and legend as Figure 5.11 (AF, EV, SA and KN against the Level of Security; BL = Minimum Acceptable Baseline, SL = Nett Security Level).]
Figure 5.12: Insecure and "Mostly Stable". Both the espoused values and the shared tacit assumptions in this culture are of sufficient strength to meet the minimum acceptable baseline standard. However, in this culture the employees do not have the requisite level of information security related knowledge. It is thus possible for the measurable artifacts to fall short of the minimum acceptable baseline. For example, either the policy dealing with a specific control might be lacking because the person(s) responsible for creating the policy lack the necessary knowledge, or the knowledge needed to implement this control in day-to-day operations might be lacking amongst the responsible employees. In both such cases, the resulting artifacts might be weaker than expected. This misalignment between the various levels also means that it would be difficult to predict the exact relative strength of the overall security level. In this case one could probably assume that the culture will be mostly predictable, hence stable, because the lack of knowledge would probably not apply equally to all controls. This culture would also have an almost infinite degree of elasticity, and the artifacts would thus never perfectly align with the espoused values and shared tacit assumptions. This is due to the lack of supporting information security knowledge. The lack of knowledge acts as an "anchor" and prevents the artifacts from aligning with the other layers. By addressing the lack of knowledge, the degree of elasticity inherent in this culture could be reduced. This would increase the rate at which a more desirable state is reached, where the artifacts align with the shared tacit assumptions and espoused values.
[Figure 5.13: Insecure and Unstable Culture. Same axes and legend as Figure 5.11 (AF, EV, SA and KN against the Level of Security; BL = Minimum Acceptable Baseline, SL = Nett Security Level).]
Figure 5.13: Insecure and Unstable. The various levels contributing to the culture are not aligned. This would mean that the nett effects of the culture might be unpredictable, due to the opposing forces at play in this culture. The espoused values are very desirable, but the users lack the requisite knowledge and do not have the desired beliefs and values, resulting in a measurable artifact level that is not secure. For any specific security control, a user may, or may not, have the requisite knowledge to fulfill his/her role in the implementation of that specific control. That same user could also agree with the relevant espoused value, or could have beliefs that are contrary to that espoused value. It would thus be very difficult to predict the nett security level of this culture. Such a culture would not be a desirable culture.
In order to make this culture more desirable it would be necessary to address both the lack of knowledge and the underlying shared tacit assumptions of the employees. Once these aspects have been addressed, the various levels of the culture will re-align to become more "stable". The rate at which this re-alignment will take place would be dependent on the degree of elasticity present in the system.
[Figure 5.14: Secure and Unstable Culture. Same axes and legend as Figure 5.11 (AF, EV, SA and KN against the Level of Security; BL = Minimum Acceptable Baseline, SL = Nett Security Level).]
Figure 5.14: Secure and Unstable. The various levels contributing to the culture are not aligned. The espoused values are desirable, and the users have adequate knowledge. The high level of user knowledge in this case somewhat negates the fact that the users do not have the desired beliefs and values, resulting in an overall culture that is more secure than the minimum acceptable baseline. However, this culture should be considered undesirable, because its effects cannot always be predicted. It might be possible for the users to behave insecurely with regard to a specific security control because the specific control conflicts with their beliefs (Schlienger & Teufel, 2003).
In this culture the knowledge level is already sufficient to enable employees to behave securely. However, there is still a gap between the knowledge level and the espoused values. This gap will have to be addressed before the culture could possibly align with the espoused values. The degree of elasticity in this culture could be reduced by addressing the shared tacit assumptions of employees. If employees can be convinced of the importance of their respective roles and responsibilities towards the organization’s information security the culture should start to align itself.
[Figure 5.15: Secure and Unstable Culture. Same axes and legend as Figure 5.11 (AF, EV, SA and KN against the Level of Security; BL = Minimum Acceptable Baseline, SL = Nett Security Level).]
Figure 5.15: Secure and Unstable. As in Figure 5.14, the various levels contributing to the culture are not aligned. In this case the figure models the scenario where the organization is small and all staff are skilled IT professionals who have both the requisite knowledge levels and the personal belief systems that enable secure behavior. In such a case it is quite likely to have a secure artifact level despite the fact that there are little or no espoused values. This is still not a desirable culture. Without adequate security policies (espoused values) in place, there can be no guarantees of desirable behavior. The appointment of additional staff members who might lack the underlying security knowledge can easily move the observable artifacts in this model back towards the less secure side. Unless the organization actively addresses the lack of espoused values, this culture will have an infinite degree of elasticity. The espoused values will never align themselves without active intervention.
The above examples only reflect a few possible scenarios. It should, however, be clear that the nett effect of any information security culture can be influenced, either positively or negatively, by how "secure" the underlying levels of such a culture are. In such a model it might also be possible to deduce the relative state of one or more of the cultural levels. For example, if the organization has good espoused values, but the measurable artifacts indicate bad security, it might be inferred that the employees lack either the required knowledge or the desired attitude. In the cultures represented by Figure 5.14 and Figure 5.15 the culture can probably be "improved" by involving employees in the process of creating the espoused values. In both these cultures, involving the employees in a "negotiation" process when creating espoused values could reduce the "gap" between the espoused values and shared tacit assumption layers. In both cases this would make the culture more predictable, and thus more desirable. In all cases, insight into the degree of elasticity inherent in the culture can help guide decisions as to what course would be most appropriate to help manage the culture. If a system has infinite elasticity it will never align itself unless the underlying cause for this infinite elasticity is addressed. If management wants to see faster changes at the artifacts layer, i.e. how people behave on a day to day basis, steps should be taken to decrease the degree of elasticity. From a management perspective, the "perfect security culture" would be one that is completely inelastic. Such a culture will always instantly reflect changes in the espoused values of the organization.
5.7 Conclusion
This chapter suggested that, for an effective information security culture, the requisite information security knowledge amongst an organization’s users could be seen as a fourth layer to Schein’s (Schein, 1999a) model for corporate culture. The various interactions between the layers of such an information security culture were then presented conceptually.
The conceptual model presented showed that the nett overall effect that an information security culture would have on the organization’s information security efforts would depend on the relative desirability, or strength, of each underlying level in such a culture. Furthermore, the alignment of the strengths of the individual underlying culture levels relative to the other levels, would to a large extent determine how predictable, hence stable, the effects of such a culture would be. The ideal culture would thus be one where all four underlying levels are stronger than the minimum acceptable baseline, and are also perfectly aligned relative to each other. The example in Figure 5.10 would be such an ideal culture.
The model also attempted to show that management demands and employees' participation are strongly interrelated. In an information security culture the visible artifacts are thus dependent on both the supporting knowledge and this relationship between espoused values (management demands) and shared tacit assumptions (employees' underlying beliefs and values). In any information security culture a certain degree of elasticity will be present. This elasticity will determine whether or not the shared tacit assumptions will over time align themselves to the espoused values of the organization. It will also determine how fast changes will occur if the system is not infinitely elastic. The lower the degree of elasticity in the system, the faster a possible re-alignment would happen. From a management perspective it would thus be highly desirable to reduce the degree of elasticity in such a culture as much as possible.
In its current form, the model's primary contribution is at a conceptual level, where it aids in the understanding of information security culture. The current model has limited "hands-on" use. In a scenario where an organization's measurable artifacts are undesirable, a manager who is sure that the organization's espoused values are of adequate strength and who is also certain his/her staff members have adequate knowledge, might infer that the employees' beliefs and values are not in line with the espoused values. Based on the presented model, such a manager will also be able to deduce that he/she can make the artifacts easier to predict by addressing the shared tacit assumptions, for example by trying to convince the employees to buy into the espoused values. Through campaigns aimed at improving the employees' attitude towards security, management can reduce the degree of elasticity inherent in the culture and thus speed up the pace at which the measurable artifacts become more in line with the espoused values. Alternatively the espoused values could be "relaxed" to be more in line with the shared tacit assumptions, similar to the idea of adjusting the governing variables in a double-loop learning system (Smith, 2001). This might result in a culture that is slightly less secure but more predictable.
In either of the above mentioned approaches, use of the current model would only provide very vague guidance to someone wanting to manage an information security culture. In order for this model to become useful as a "hands-on" cultural management tool, additional research would be required.
If one could accurately quantify and normalize the various levels at play in this conceptual model, it should be possible to use the model to manage specific aspects of an information security culture more precisely. The assumption made when presenting the examples, namely that the desirability of the various levels can in fact be quantified and normalized to the same scale, should by no means be taken as an assertion made by this chapter. The aim of the chapter was not to present such metrics and normalization processes but rather to show, at a certain level of abstraction, how this conceptual model could be used to reason about information security culture. It should, however, be possible to quantify and normalize the various factors for certain subsets of controls. For example, it might be possible to turn the presented conceptual model into a working model for a smaller sub-problem such as mapping the relationships between the four levels for password usage. If the required processes and metrics are developed, the conceptual framework might also play a valuable role in the management of an information security culture. For example, a metric that quantifies the actual degree of elasticity in an information security culture would be a very useful tool to have. This type of usage for the presented model could possibly be addressed by future research efforts. For the present, the contention of this thesis is simply that the conceptual model presented could assist in improving the understanding of an information security culture. The work in this chapter should thus be seen as an attempt to lay a solid foundation on which future research could be built.
Finally, this chapter highlighted the important role relevant information security knowledge plays in an information security culture. From an information security viewpoint, it is vital for organizations to ensure that organizational employees have the requisite information security knowledge to perform their day-to-day activities in a secure manner. An appropriate information security educational approach is thus a vital building block towards the fostering of an information security culture. The next chapter will focus on a pedagogically sound approach towards the design of such an information security educational program.